bundle

package

v1.7.5 Latest Latest Go to latest Published: May 16, 2026 License: Apache-2.0 Imports: 10 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/controlzero-ai/controlzero-go

Links

Open Source Insights

Documentation ¶

Overview ¶

Package bundle parses the .czpolicy signed binary bundle format.

See docs/designs/policy-bundle-format.md for the authoritative spec.

This package is a pure-function parser: given bundle bytes plus the project encryption key and signing public key, it either returns the decrypted policy payload as a map[string]any, or a typed error.

No I/O. No network. No global state. All fetching, caching, and retries live in the hosted_policy module.

Wire format (little-endian):

offset  size  field
0       4     magic           ASCII "CZ01"
4       2     schema_version  uint16
6       8     created_at      uint64 UNIX seconds
14      2     policy_count    uint16 (informational)
16      4     sig_offset      uint32 (absolute byte offset of signature)
20      4     sig_len         uint32 (must be 64)
24      8     reserved        must be zero
32      N     payload         authenticated-encryption over zstd(json)
32+N    64    signature       detached signature over header[0:32] || payload

Index ¶

Variables
func TranslateToLocalPolicy(payload map[string]any) map[string]any
type FormatError
- func (e *FormatError) Error() string
type Header
type ParseOptions
type Parsed
- func Parse(blob []byte, encryptionKey []byte, signingPubkey []byte, opts *ParseOptions) (*Parsed, error)
type SignatureError
- func (e *SignatureError) Error() string

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	ErrBadMagic = errors.New("bundle: bad magic")
)

Errors surface-level convenience (matches Python/Node API shape).

Functions ¶

func TranslateToLocalPolicy ¶

func TranslateToLocalPolicy(payload map[string]any) map[string]any

TranslateToLocalPolicy converts a decrypted bundle payload to the local-mode policy map accepted by LoadPolicy. Sorts policies by `priority` ascending so every SDK produces identical decisions from identical input.

Types ¶

type FormatError ¶

type FormatError struct{ Msg string }

FormatError is returned for wire-format problems (bad magic, wrong version, truncated, trailing bytes).

func (*FormatError) Error ¶

func (e *FormatError) Error() string

type Header ¶

type Header struct {
	SchemaVersion uint16
	CreatedAt     uint64
	PolicyCount   uint16
	SigOffset     uint32
	SigLen        uint32
}

Header carries the fixed fields at the front of a bundle.

type ParseOptions ¶

type ParseOptions struct {
	// MaxBundleBytes bounds how big a blob we will accept. Zero means
	// the default (16 MiB).
	MaxBundleBytes int
}

ParseOptions configures optional behavior.

type Parsed ¶

type Parsed struct {
	Header  Header
	Payload map[string]any
}

Parsed is the decoded output of Parse.

func Parse ¶

func Parse(
	blob []byte,
	encryptionKey []byte,
	signingPubkey []byte,
	opts *ParseOptions,
) (*Parsed, error)

Parse verifies the signature, decrypts, and decodes a policy bundle.

Returns:

*FormatError for malformed wire format.
*SignatureError for signature / AEAD failures.

type SignatureError ¶

type SignatureError struct{ Msg string }

SignatureError is returned for signature, AEAD, or crypto failures. Distinct from FormatError: both fail closed, but this one indicates the bundle was tampered with or we have the wrong keys.

func (*SignatureError) Error ¶

func (e *SignatureError) Error() string

Source Files ¶

View all Source files

bundle.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL